diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 70897dc..e913e25 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -117646,7 +117646,7 @@ index c2c6e05..d0e6d1c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..e9ebe7b 100644
+index 64ff4d7..f67e6ba 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -119407,7 +119407,7 @@ index 64ff4d7..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6425,7 +7122,252 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,7 +7122,273 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -119572,6 +119572,27 @@ index 64ff4d7..e9ebe7b 100644
 +
 +########################################
 +## <summary>
++##	Relabel to and from all spool
++##	directory types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_relabel_all_spool_dirs',`
++	gen_require(`
++		attribute spoolfile;
++		type var_t;
++	')
++
++	relabel_dirs_pattern($1, spoolfile, spoolfile)
++')
++
++########################################
++## <summary>
 +##	Search the contents of generic spool
 +##	directories (/var/spool).
 +## </summary>
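Review bot: The `gen_require` block of the new `files_relabel_all_spool_dirs` interface pulls in `type var_t;`, but the only rule in the body, `relabel_dirs_pattern($1, spoolfile, spoolfile)`, never references it; the require can be reduced to `attribute spoolfile;`. Because the attribute is passed as both source and target, the caller may relabel a directory from any spool type to any other spool type, and the summary should say so explicitly. Later in this patch the interface is granted to `systemd_tmpfiles_t`, so that breadth is worth recording in the doc block.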
@@ -119661,7 +119682,7 @@ index 64ff4d7..e9ebe7b 100644
  	gen_require(`
  		type var_t, var_spool_t;
  	')
-@@ -6562,3 +7504,459 @@ interface(`files_unconfined',`
+@@ -6562,3 +7525,459 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -124404,7 +124425,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..b5ab557 100644
+index 5da7870..6ce4f9d 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
@@ -124476,7 +124497,7 @@ index 5da7870..b5ab557 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +79,106 @@ optional_policy(`
+@@ -23,11 +79,102 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124521,10 +124542,6 @@ index 5da7870..b5ab557 100644
 +')
 +
 +optional_policy(`
-+	gnomeclock_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
 +	gnome_role(staff_r, staff_t)
 +')
 +
@@ -124584,7 +124601,7 @@ index 5da7870..b5ab557 100644
  ')
  
  optional_policy(`
-@@ -35,15 +186,31 @@ optional_policy(`
+@@ -35,15 +182,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124618,10 +124635,11 @@ index 5da7870..b5ab557 100644
  ')
  
  optional_policy(`
-@@ -52,10 +219,55 @@ optional_policy(`
+@@ -52,10 +215,56 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_dbus_chat_timedated(staff_t)
 +	systemd_read_unit_files(staff_t)
 +	systemd_exec_systemctl(staff_t)
 +')
@@ -124674,7 +124692,7 @@ index 5da7870..b5ab557 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +277,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +274,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124685,7 +124703,7 @@ index 5da7870..b5ab557 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +283,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -124696,7 +124714,7 @@ index 5da7870..b5ab557 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +305,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +302,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124707,7 +124725,7 @@ index 5da7870..b5ab557 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +325,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +322,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124718,7 +124736,7 @@ index 5da7870..b5ab557 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +337,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +334,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -124729,7 +124747,7 @@ index 5da7870..b5ab557 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +368,20 @@ ifndef(`distro_redhat',`
+@@ -176,3 +365,20 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -124779,7 +124797,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..e1ba9a0 100644
+index 88d0028..42e9b2e 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.1)
@@ -124893,7 +124911,15 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -110,6 +138,10 @@ optional_policy(`
+@@ -87,6 +115,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	asterisk_stream_connect(sysadm_t)
++	asterisk_exec(sysadm_t)
+ ')
+ 
+ optional_policy(`
+@@ -110,6 +139,10 @@ optional_policy(`
  ')
  
  optional_policy(`
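Review bot: `asterisk_exec(sysadm_t)` in the sysadm.te section is added without a comment, and unlike the `*_run(sysadm_t, sysadm_r)` calls elsewhere in this file it lets the binary run in `sysadm_t` itself rather than in a transitioned domain. If the intent is the remote console that pairs with the existing `asterisk_stream_connect(sysadm_t)`, a one-line comment such as `# asterisk -r console client, talks to the daemon socket` above the call would record that. This reading is inferred from the neighbouring line and should be confirmed.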
@@ -124904,7 +124930,7 @@ index 88d0028..e1ba9a0 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -122,11 +154,19 @@ optional_policy(`
+@@ -122,11 +155,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124926,7 +124952,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -140,6 +180,10 @@ optional_policy(`
+@@ -140,6 +181,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124937,7 +124963,7 @@ index 88d0028..e1ba9a0 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +200,11 @@ optional_policy(`
+@@ -156,11 +201,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124951,7 +124977,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -179,6 +223,13 @@ optional_policy(`
+@@ -179,6 +224,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -124965,7 +124991,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -186,15 +237,20 @@ optional_policy(`
+@@ -186,15 +238,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124989,7 +125015,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -214,22 +270,20 @@ optional_policy(`
+@@ -214,22 +271,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -125018,7 +125044,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -241,25 +295,47 @@ optional_policy(`
+@@ -241,25 +296,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125066,7 +125092,7 @@ index 88d0028..e1ba9a0 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +346,36 @@ optional_policy(`
+@@ -270,31 +347,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125110,7 +125136,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -319,12 +400,18 @@ optional_policy(`
+@@ -319,12 +401,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125130,7 +125156,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -349,7 +436,18 @@ optional_policy(`
+@@ -349,7 +437,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125150,7 +125176,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -360,19 +458,15 @@ optional_policy(`
+@@ -360,19 +459,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125172,7 +125198,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -384,10 +478,6 @@ optional_policy(`
+@@ -384,10 +479,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125183,7 +125209,7 @@ index 88d0028..e1ba9a0 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +485,9 @@ optional_policy(`
+@@ -395,6 +486,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -125193,7 +125219,7 @@ index 88d0028..e1ba9a0 100644
  ')
  
  optional_policy(`
-@@ -402,31 +495,34 @@ optional_policy(`
+@@ -402,31 +496,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125234,7 +125260,7 @@ index 88d0028..e1ba9a0 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +535,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -125245,7 +125271,7 @@ index 88d0028..e1ba9a0 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +555,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +556,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -125986,7 +126012,7 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..09d96d1
+index 0000000..1c11aac
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,369 @@
@@ -126232,7 +126258,7 @@ index 0000000..09d96d1
 +	')
 +
 +	optional_policy(`
-+		gnomeclock_dbus_chat(unconfined_t)
++		systemd_dbus_chat_timedated(unconfined_t)
 +		gnome_dbus_chat_gconfdefault(unconfined_t)
 +		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
 +	')
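Review bot: The replacement `systemd_dbus_chat_timedated(unconfined_t)` stays in the same `optional_policy` block as `gnome_dbus_chat_gconfdefault` and `gnome_command_domtrans_gkeyringd`, so the timedated D-Bus rule is dropped whenever the gnome module is absent, because an optional block is enabled or disabled as a whole. staff.te in this same patch groups the call with other `systemd_*` interfaces instead; doing the same here, or giving the call its own `optional_policy` block, would remove the coupling. The enclosing blocks start and end outside the hunk, so an outer condition may already account for this.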
@@ -131083,7 +131109,7 @@ index 28ad538..ebe81bf 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..7c0ea2d 100644
+index 3efd5b6..de75e59 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -131601,7 +131627,7 @@ index 3efd5b6..7c0ea2d 100644
  ')
  
  ########################################
-@@ -1805,3 +1975,199 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1975,200 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -131643,6 +131669,7 @@ index 3efd5b6..7c0ea2d 100644
 +	files_etc_filetrans($1, shadow_t, file, "shadow")
 +	files_etc_filetrans($1, shadow_t, file, "shadow-")
 +	files_etc_filetrans($1, shadow_t, file, "gshadow")
++	files_etc_filetrans($1, shadow_t, file, "opasswd")
 +	logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
 +	logging_log_named_filetrans($1, faillog_t, file, "tallylog")
 +	logging_log_named_filetrans($1, faillog_t, file, "faillog")
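Review bot: The new `files_etc_filetrans($1, shadow_t, file, "opasswd")` line only fires when a file is created under exactly that name, so a writer that creates a temporary file under a different name and renames it over `opasswd` would leave the password history carrying the temporary file's label. It is worth confirming how the writer of this file creates it, and that the file-context entry for the path also says `shadow_t`, otherwise a relabel would undo the transition; neither is visible in this hunk. A short comment such as `# old-password history file` next to the entry would explain why it sits with the shadow names. The interface body starts and ends outside the hunk.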
@@ -133908,7 +133935,7 @@ index 24e7804..386109d 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..1c57099 100644
+index dd3be8d..aab0c5a 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -134143,7 +134170,7 @@ index dd3be8d..1c57099 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +268,176 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +268,177 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -134289,7 +134316,8 @@ index dd3be8d..1c57099 100644
 +systemd_relabelto_fifo_file_passwd_run(init_t)
 +systemd_relabel_unit_dirs(init_t)
 +systemd_relabel_unit_files(init_t)
-+systemd_create_unit_dirs(initrc_t)
++systemd_manage_unit_dirs(initrc_t)
++systemd_manage_unit_symlinks(initrc_t)
 +systemd_config_all_services(initrc_t)
 +systemd_read_unit_files(initrc_t)
 +
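Review bot: Replacing `systemd_create_unit_dirs(initrc_t)` with `systemd_manage_unit_dirs(initrc_t)` plus `systemd_manage_unit_symlinks(initrc_t)` widens the grant for init scripts from creating unit directories to managing them and, per the interface added later in this patch, managing symlinks of every type carrying `systemd_unit_file_type`; nothing in the hunk says which script needs this. Symlinks in the unit directories are how units are enabled, disabled or masked, so this effectively lets any `initrc_t` script change which services start. A comment such as `# needed by <script> to enable/disable units` above the two lines, with the real consumer filled in, would make the grant auditable. If only one unit type is involved, a narrower interface would be preferable.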
@@ -134328,7 +134356,7 @@ index dd3be8d..1c57099 100644
  ')
  
  optional_policy(`
-@@ -216,6 +445,27 @@ optional_policy(`
+@@ -216,6 +446,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134356,7 +134384,7 @@ index dd3be8d..1c57099 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -225,8 +475,9 @@ optional_policy(`
+@@ -225,8 +476,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -134368,7 +134396,7 @@ index dd3be8d..1c57099 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +508,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +509,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -134385,7 +134413,7 @@ index dd3be8d..1c57099 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +533,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +534,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -134428,7 +134456,7 @@ index dd3be8d..1c57099 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +570,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +571,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -134440,7 +134468,7 @@ index dd3be8d..1c57099 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +582,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +583,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -134451,7 +134479,7 @@ index dd3be8d..1c57099 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +593,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +594,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -134461,7 +134489,7 @@ index dd3be8d..1c57099 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +602,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +603,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -134469,7 +134497,7 @@ index dd3be8d..1c57099 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +610,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134477,7 +134505,7 @@ index dd3be8d..1c57099 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +617,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +618,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -134495,7 +134523,7 @@ index dd3be8d..1c57099 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -134509,7 +134537,7 @@ index dd3be8d..1c57099 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +650,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +651,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -134523,7 +134551,7 @@ index dd3be8d..1c57099 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +663,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +664,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -134531,7 +134559,7 @@ index dd3be8d..1c57099 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +675,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +676,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -134539,7 +134567,7 @@ index dd3be8d..1c57099 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +694,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +695,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -134563,7 +134591,7 @@ index dd3be8d..1c57099 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +727,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +728,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -134571,7 +134599,7 @@ index dd3be8d..1c57099 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +761,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +762,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -134582,7 +134610,7 @@ index dd3be8d..1c57099 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +785,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +786,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -134591,7 +134619,7 @@ index dd3be8d..1c57099 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +800,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +801,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -134599,7 +134627,7 @@ index dd3be8d..1c57099 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +821,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +822,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -134607,7 +134635,7 @@ index dd3be8d..1c57099 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +831,40 @@ ifdef(`distro_redhat',`
+@@ -549,8 +832,40 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -134648,7 +134676,7 @@ index dd3be8d..1c57099 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +872,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +873,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -134680,7 +134708,7 @@ index dd3be8d..1c57099 100644
  	')
  ')
  
-@@ -576,6 +907,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +908,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -134720,7 +134748,7 @@ index dd3be8d..1c57099 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +952,8 @@ optional_policy(`
+@@ -588,6 +953,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -134729,7 +134757,7 @@ index dd3be8d..1c57099 100644
  ')
  
  optional_policy(`
-@@ -609,6 +975,7 @@ optional_policy(`
+@@ -609,6 +976,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -134737,7 +134765,7 @@ index dd3be8d..1c57099 100644
  ')
  
  optional_policy(`
-@@ -625,6 +992,17 @@ optional_policy(`
+@@ -625,6 +993,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134755,7 +134783,7 @@ index dd3be8d..1c57099 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1019,13 @@ optional_policy(`
+@@ -641,9 +1020,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -134769,7 +134797,7 @@ index dd3be8d..1c57099 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1038,11 @@ optional_policy(`
+@@ -656,15 +1039,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134787,7 +134815,7 @@ index dd3be8d..1c57099 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1063,15 @@ optional_policy(`
+@@ -685,6 +1064,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134803,7 +134831,7 @@ index dd3be8d..1c57099 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1112,7 @@ optional_policy(`
+@@ -725,6 +1113,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -134811,7 +134839,7 @@ index dd3be8d..1c57099 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1130,14 @@ optional_policy(`
+@@ -742,7 +1131,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134826,7 +134854,7 @@ index dd3be8d..1c57099 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1160,10 @@ optional_policy(`
+@@ -765,6 +1161,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134837,7 +134865,7 @@ index dd3be8d..1c57099 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1173,20 @@ optional_policy(`
+@@ -774,10 +1174,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134858,7 +134886,7 @@ index dd3be8d..1c57099 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1195,10 @@ optional_policy(`
+@@ -786,6 +1196,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134869,7 +134897,7 @@ index dd3be8d..1c57099 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1220,6 @@ optional_policy(`
+@@ -807,8 +1221,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -134878,7 +134906,7 @@ index dd3be8d..1c57099 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1228,10 @@ optional_policy(`
+@@ -817,6 +1229,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134889,7 +134917,7 @@ index dd3be8d..1c57099 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1241,12 @@ optional_policy(`
+@@ -826,10 +1242,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -134902,7 +134930,7 @@ index dd3be8d..1c57099 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1273,27 @@ optional_policy(`
+@@ -856,12 +1274,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134931,7 +134959,7 @@ index dd3be8d..1c57099 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1303,18 @@ optional_policy(`
+@@ -871,6 +1304,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -134950,7 +134978,7 @@ index dd3be8d..1c57099 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1330,10 @@ optional_policy(`
+@@ -886,6 +1331,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134961,7 +134989,7 @@ index dd3be8d..1c57099 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1344,185 @@ optional_policy(`
+@@ -896,3 +1345,185 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -137718,10 +137746,10 @@ index e8c59a5..7622d77 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..6c86d76 100644
+index 9fe8e01..d5fe55a 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
-@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
  # /etc
  #
  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
@@ -137733,7 +137761,11 @@ index 9fe8e01..6c86d76 100644
  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
  /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
-@@ -37,11 +38,6 @@ ifdef(`distro_redhat',`
++/etc/vconsole.conf	--	gen_context(system_u:object_r:locale_t,s0)
+ 
+ ifdef(`distro_redhat',`
+ /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
+@@ -37,11 +39,6 @@ ifdef(`distro_redhat',`
  
  /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
  
@@ -137745,7 +137777,7 @@ index 9fe8e01..6c86d76 100644
  /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
  
  /usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
-@@ -77,8 +73,9 @@ ifdef(`distro_redhat',`
+@@ -77,8 +74,9 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
@@ -137757,7 +137789,7 @@ index 9fe8e01..6c86d76 100644
  
  /var/spool/abrt-upload(/.*)?	gen_context(system_u:object_r:public_content_rw_t,s0)
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..01b8523 100644
+index fc28bc3..e102068 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -137862,7 +137894,7 @@ index fc28bc3..01b8523 100644
  ##	Read public files used for file
  ##	transfer services.
  ## </summary>
-@@ -784,8 +835,10 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +835,11 @@ interface(`miscfiles_etc_filetrans_localization',`
  		type locale_t;
  	')
  
@@ -137872,15 +137904,40 @@ index fc28bc3..01b8523 100644
 +	files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
 +	files_etc_filetrans($1, locale_t, file, "locale.conf" )
 +	files_etc_filetrans($1, locale_t, file, "timezone" )
++	files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
  ')
  
  ########################################
-@@ -809,3 +862,43 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +863,60 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
 +########################################
 +## <summary>
++##	Transition to miscfiles locale named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`miscfiles_filetrans_locale_named_content',`
++	gen_require(`
++		type locale_t;
++	')
++
++	files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
++	files_etc_filetrans($1, locale_t, file, "locale.conf")
++	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
++	files_etc_filetrans($1, locale_t, file, "timezone")
++	files_etc_filetrans($1, locale_t, file, "clock")
++	files_usr_filetrans($1, locale_t, dir, "locale")
++	files_usr_filetrans($1, locale_t, dir, "zoneinfo")
++')
++
++########################################
++## <summary>
 +##	Transition to miscfiles named content
 +## </summary>
 +## <param name="domain">
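Review bot: The new `miscfiles_filetrans_locale_named_content` does not list `vconsole.conf`, although this same hunk adds that name to `miscfiles_etc_filetrans_localization` and miscfiles.fc in this patch labels `/etc/vconsole.conf` as `locale_t`. Domains that get their transitions through the new interface (and through `miscfiles_filetrans_named_content`, which now calls it) would create that file with the default label of the parent directory until a relabel. Adding `files_etc_filetrans($1, locale_t, file, "vconsole.conf")` to the new interface keeps the two name lists in step. Better still, one interface could call the other so the lists cannot drift again.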
@@ -137891,7 +137948,6 @@ index fc28bc3..01b8523 100644
 +#
 +interface(`miscfiles_filetrans_named_content',`
 +	gen_require(`
-+		type locale_t;
 +		type man_t;
 +		type cert_t;
 +		type fonts_t;
@@ -137901,15 +137957,9 @@ index fc28bc3..01b8523 100644
 +		type public_content_t;
 +	')
 +
-+	files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
-+	files_etc_filetrans($1, locale_t, file, "locale.conf")
-+	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
++	miscfiles_filetrans_locale_named_content($1)
 +	files_var_filetrans($1, man_t, dir, "man")
-+	files_etc_filetrans($1, locale_t, file, "timezone")
-+	files_etc_filetrans($1, locale_t, file, "clock")
 +	files_etc_filetrans($1, cert_t, dir, "pki")
-+	files_usr_filetrans($1, locale_t, dir, "locale")
-+	files_usr_filetrans($1, locale_t, dir, "zoneinfo")
 +	files_usr_filetrans($1, cert_t, dir, "certs")
 +	files_usr_filetrans($1, fonts_t, dir, "fonts")
 +	files_usr_filetrans($1, hwdata_t, dir, "hwdata")
@@ -141151,10 +141201,10 @@ index b7686d5..7f2928d 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..6d7c302
+index 0000000..4c08b36
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,37 @@
 +/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -141174,7 +141224,10 @@ index 0000000..6d7c302
 +/usr/lib/systemd/system/.*sleep.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*shutdown.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*suspend.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-hostnamed	--	gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
++/usr/lib/systemd/systemd-timedated	--	gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
++/usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_localed_exec_t,s0)
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
@@ -141191,10 +141244,10 @@ index 0000000..6d7c302
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..3e4cae7
+index 0000000..699dcef
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,962 @@
+@@ -0,0 +1,1020 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -141543,6 +141596,24 @@ index 0000000..3e4cae7
 +    domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
 +')
 +
++#######################################
++## <summary>
++##  Execute a domain transition to run systemd-localed.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_localed_domtrans',`
++    gen_require(`
++        type systemd_localed_t, systemd_localed_exec_t;
++    ')
++
++    domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t)
++')
++
 +########################################
 +## <summary>
 +##	Execute a domain transition to run systemd-tty-ask-password-agent.
@@ -141838,6 +141909,24 @@ index 0000000..3e4cae7
 +
 +########################################
 +## <summary>
++##	manage systemd unit link files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_manage_unit_symlinks',`
++	gen_require(`
++		attribute systemd_unit_file_type;
++	')
++
++	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++## <summary>
 +##	manage all systemd unit files
 +## </summary>
 +## <param name="domain">
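Review bot: The summary of `systemd_manage_unit_symlinks`, `manage systemd unit link files`, understates the scope: the body applies `manage_lnk_files_pattern` to the `systemd_unit_file_type` attribute, i.e. to symlinks of all unit file types. A summary along the lines of `##	Create, read, write, and delete symbolic links of all systemd unit file types.` would make that breadth visible to anyone deciding whether to call the interface.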
@@ -142157,12 +142246,34 @@ index 0000000..3e4cae7
 +    systemd_exec_systemctl($1)
 +    allow $1 systemd_unit_file_type:service status;
 +')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	systemd timedated over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_dbus_chat_timedated',`
++	gen_require(`
++		type systemd_timedated_t;
++		class dbus send_msg;
++	')
++
++	allow $1 systemd_timedated_t:dbus send_msg;
++	allow systemd_timedated_t $1:dbus send_msg;
++')
++
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..dc3c408
+index 0000000..74c656b
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,451 @@
+@@ -0,0 +1,578 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -142226,6 +142337,18 @@ index 0000000..dc3c408
 +type systemd_systemctl_exec_t;
 +corecmd_executable_file(systemd_systemctl_exec_t)
 +
++type systemd_localed_t;
++type systemd_localed_exec_t;
++init_daemon_domain(systemd_localed_t, systemd_localed_exec_t)
++
++type systemd_hostnamed_t;
++type systemd_hostnamed_exec_t;
++init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
++
++type systemd_timedated_t alias gnomeclock_t;
++type systemd_timedated_exec_t;
++init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
++
 +#######################################
 +#
 +# Systemd_logind local policy
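Review bot: `type systemd_timedated_t alias gnomeclock_t;` keeps the old domain name resolvable, but the executable type on the next line is declared without a matching alias. If the gnomeclock module that this replaces labelled its binary `gnomeclock_exec_t` (its removal is not visible in this hunk), rules and on-disk labels that still reference that type will stop resolving until a relabel. Consider `type systemd_timedated_exec_t alias gnomeclock_exec_t;`, or confirm that nothing else in the policy still names the old type.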
@@ -142447,6 +142570,7 @@ index 0000000..dc3c408
 +files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_files(systemd_tmpfiles_t)
++files_relabel_all_spool_dirs(systemd_tmpfiles_t)
 +files_manage_all_pids(systemd_tmpfiles_t)
 +files_manage_all_pid_dirs(systemd_tmpfiles_t)
 +files_manage_all_locks(systemd_tmpfiles_t)
@@ -142562,7 +142686,6 @@ index 0000000..dc3c408
 +
 +init_rw_stream_sockets(systemd_notify_t)
 +
-+
 +optional_policy(`
 +	readahead_manage_pid_files(systemd_notify_t)
 +')
@@ -142614,6 +142737,121 @@ index 0000000..dc3c408
 +init_read_state(systemctl_domain)
 +init_list_pid_dirs(systemctl_domain)
 +init_use_fds(systemctl_domain)
++
++#######################################
++#
++# Localed policy
++#
++allow systemd_localed_t self:process setfscreate;
++allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
++
++seutil_read_config(systemd_localed_t)
++seutil_read_file_contexts(systemd_localed_t)
++
++miscfiles_manage_localization(systemd_localed_t)
++miscfiles_etc_filetrans_localization(systemd_localed_t)
++
++optional_policy(`
++	dbus_connect_system_bus(systemd_localed_t)
++	dbus_system_bus_client(systemd_localed_t)
++')
++
++#######################################
++#
++# Hostnamed policy
++#
++allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
++
++init_status(systemd_hostnamed_t)
++
++optional_policy(`
++        dbus_system_bus_client(systemd_hostnamed_t)
++        dbus_connect_system_bus(systemd_hostnamed_t)
++')
++
++#######################################
++#
++# Timedated policy
++#
++allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
++allow systemd_timedated_t self:process { getattr getsched signal };
++allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
++allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_system_state(systemd_timedated_t)
++
++corecmd_exec_bin(systemd_timedated_t)
++corecmd_exec_shell(systemd_timedated_t)
++corecmd_dontaudit_access_check_bin(systemd_timedated_t)
++
++corenet_tcp_connect_time_port(systemd_timedated_t)
++
++dev_rw_realtime_clock(systemd_timedated_t)
++dev_read_urand(systemd_timedated_t)
++dev_write_kmsg(systemd_timedated_t)
++dev_read_sysfs(systemd_timedated_t)
++
++files_read_etc_runtime_files(systemd_timedated_t)
++
++fs_getattr_xattr_fs(systemd_timedated_t)
++
++auth_use_nsswitch(systemd_timedated_t)
++
++init_dbus_chat(systemd_timedated_t)
++init_status(systemd_timedated_t)
++
++logging_stream_connect_syslog(systemd_timedated_t)
++logging_send_syslog_msg(systemd_timedated_t)
++
++miscfiles_manage_localization(systemd_timedated_t)
++miscfiles_etc_filetrans_localization(systemd_timedated_t)
++
++userdom_read_all_users_state(systemd_timedated_t)
++
++optional_policy(`
++	chronyd_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++	clock_read_adjtime(systemd_timedated_t)
++	clock_domtrans(systemd_timedated_t)
++')
++
++optional_policy(`
++	consolekit_dbus_chat(systemd_timedated_t)
++')
++
++optional_policy(`
++	consoletype_exec(systemd_timedated_t)
++')
++
++optional_policy(`
++        dbus_system_bus_client(systemd_timedated_t)
++        dbus_connect_system_bus(systemd_timedated_t)
++')
++
++optional_policy(`
++	gnome_manage_usr_config(systemd_timedated_t)
++	gnome_manage_home_config(systemd_timedated_t)
++')
++
++optional_policy(`
++	ntp_domtrans_ntpdate(systemd_timedated_t)
++	ntp_initrc_domtrans(systemd_timedated_t)
++	init_dontaudit_getattr_all_script_files(systemd_timedated_t)
++	init_dontaudit_getattr_exec(systemd_timedated_t)
++	ntp_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++	policykit_dbus_chat(systemd_timedated_t)
++	policykit_domtrans_auth(systemd_timedated_t)
++	policykit_read_lib(systemd_timedated_t)
++	policykit_read_reload(systemd_timedated_t)
++')
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 40928d8..49fd32e 100644
 --- a/policy/modules/system/udev.fc
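Review bot: In the Timedated section, `systemd_timedated_t` receives `dac_override`, `corecmd_exec_shell`, `gnome_manage_usr_config` and `gnome_manage_home_config` with no comment explaining why a time-setting daemon needs them. The same patch lets user domains talk to this daemon over D-Bus (`systemd_dbus_chat_timedated($1_t)` in userdomain.if), so these rules bound what a request from an unprivileged session can reach. They look inherited from the old gnomeclock domain; I would start from `allow systemd_timedated_t self:capability { sys_nice sys_time };`, drop the two `gnome_manage_*` calls, and add each back only against a recorded AVC denial with a one-line why-comment. The Localed and Hostnamed sections in the same hunk are much narrower and are a better template.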
@@ -142912,7 +143150,7 @@ index 0f64692..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..b31b982 100644
+index a5ec88b..32e7d9e 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -143091,7 +143329,7 @@ index a5ec88b..b31b982 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -226,6 +239,7 @@ optional_policy(`
+@@ -226,19 +239,34 @@ optional_policy(`
  
  optional_policy(`
  	cups_domtrans_config(udev_t)
@@ -143099,7 +143337,13 @@ index a5ec88b..b31b982 100644
  ')
  
  optional_policy(`
-@@ -235,10 +249,20 @@ optional_policy(`
+ 	dbus_system_bus_client(udev_t)
++
++	optional_policy(`
++		systemd_dbus_chat_logind(udev_t)
++	')
+ ')
+ 
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -143120,7 +143364,7 @@ index a5ec88b..b31b982 100644
  ')
  
  optional_policy(`
-@@ -264,6 +288,10 @@ optional_policy(`
+@@ -264,6 +292,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143131,7 +143375,7 @@ index a5ec88b..b31b982 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -278,6 +306,15 @@ optional_policy(`
+@@ -278,6 +310,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143147,7 +143391,7 @@ index a5ec88b..b31b982 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -290,6 +327,7 @@ optional_policy(`
+@@ -290,6 +331,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -143979,7 +144223,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..81b2173 100644
+index 3c5dba7..2d9f96b 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -145273,7 +145517,7 @@ index 3c5dba7..81b2173 100644
 +	')
 +
 +	optional_policy(`
-+		gnomeclock_dbus_chat($1_t)
++		systemd_dbus_chat_timedated($1_t)
 +	')
 +
 +	optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6515ad8..c5c40e7 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2131,10 +2131,10 @@ index 0000000..feabdf3
 +        files_getattr_all_sockets(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..dcb9d6e 100644
+index 550a69e..d2af19f 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,188 @@
+@@ -1,161 +1,184 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -2283,10 +2283,6 @@ index 550a69e..dcb9d6e 100644
 +
 +/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/mythweb/mythweb\.pl		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/mythtv/data(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3757,7 +3753,7 @@ index 83e899c..7b2ad39 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..93b55a0 100644
+index 1a82e29..8f88bc2 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,353 @@
@@ -4986,40 +4982,39 @@ index 1a82e29..93b55a0 100644
  ')
  
  optional_policy(`
--	pcscd_read_pid_files(httpd_t)
 +	openshift_search_lib(httpd_t)
 +	openshift_initrc_signull(httpd_t)
 +	openshift_initrc_signal(httpd_t)
++')
++
++optional_policy(`
++	passenger_exec(httpd_t)
++	passenger_manage_pid_content(httpd_t)
++')
++
++optional_policy(`
+ 	pcscd_read_pid_files(httpd_t)
  ')
  
  optional_policy(`
 -	postgresql_stream_connect(httpd_t)
 -	postgresql_unpriv_client(httpd_t)
-+	passenger_exec(httpd_t)
-+	passenger_manage_pid_content(httpd_t)
++	pki_apache_domain_signal(httpd_t)
++	pki_manage_apache_config_files(httpd_t)
++	pki_manage_apache_lib(httpd_t)
++	pki_manage_apache_log_files(httpd_t)
++	pki_manage_apache_run(httpd_t)
 +')
  
 -	tunable_policy(`httpd_can_network_connect_db',`
 -		postgresql_tcp_connect(httpd_t)
 -	')
 +optional_policy(`
-+	pcscd_read_pub_files(httpd_t)
-+')
-+
-+optional_policy(`
-+	pki_apache_domain_signal(httpd_t)
-+	pki_manage_apache_config_files(httpd_t)
-+	pki_manage_apache_lib(httpd_t)
-+	pki_manage_apache_log_files(httpd_t)
-+	pki_manage_apache_run(httpd_t)
++	puppet_read_lib(httpd_t)
  ')
  
  optional_policy(`
 -	puppet_read_lib_files(httpd_t)
-+	puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
 +	pwauth_domtrans(httpd_t)
  ')
  
@@ -6373,10 +6368,36 @@ index fa18c76..fd6911a 100644
  userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
  
 diff --git a/asterisk.if b/asterisk.if
-index 7268a04..3a5dc33 100644
+index 7268a04..6ffd87d 100644
 --- a/asterisk.if
 +++ b/asterisk.if
-@@ -105,9 +105,13 @@ interface(`asterisk_admin',`
+@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',`
+ 	domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+ ')
+ 
++######################################
++## <summary>
++##	Execute asterisk in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`asterisk_exec',`
++	gen_require(`
++		type asterisk_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, asterisk_exec_t)
++')
++
+ #####################################
+ ## <summary>
+ ##	Connect to asterisk over a unix domain.
+@@ -105,9 +124,13 @@ interface(`asterisk_admin',`
  		type asterisk_var_lib_t, asterisk_initrc_exec_t;
  	')
  
@@ -7075,10 +7096,10 @@ index 536ec3c..271b976 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..1cb1b4f 100644
+index 2b9a3a1..b5dadee 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -1,54 +1,70 @@
+@@ -1,54 +1,71 @@
 -/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -7114,6 +7135,7 @@ index 2b9a3a1..1cb1b4f 100644
 +/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
  /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
 +/usr/sbin/unbound-anchor --	gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-chkconf --	gen_context(system_u:object_r:named_exec_t,s0)
  
 -/var/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 -/var/bind/pri(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
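Review bot: The added path `/usr/sbin/unbound-chkconf` looks misspelled: as far as I know the unbound package installs the checker as `unbound-checkconf`, so this entry would never match and the binary would keep its default label. If the intent is to label the checker, the line should read `/usr/sbin/unbound-checkconf --	gen_context(system_u:object_r:named_exec_t,s0)`. It is also worth confirming that `named_exec_t` is the right label for a config-checking tool, since that type is presumably the entry point into the daemon domain.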
@@ -8923,7 +8945,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 2354e21..dd34a80 100644
+index 2354e21..bec6c06 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -8995,7 +9017,7 @@ index 2354e21..dd34a80 100644
  ')
  
  optional_policy(`
-@@ -92,11 +103,47 @@ optional_policy(`
+@@ -92,11 +103,46 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9011,7 +9033,6 @@ index 2354e21..dd34a80 100644
  ')
  
  optional_policy(`
-+	pcscd_read_pub_files(certmonger_t)
  	pcscd_read_pid_files(certmonger_t)
  	pcscd_stream_connect(certmonger_t)
  ')
@@ -11042,7 +11063,7 @@ index 8e27a37..fa2c3cb 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 09f18e2..28dd440 100644
+index 09f18e2..6846284 100644
 --- a/colord.te
 +++ b/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -11078,7 +11099,7 @@ index 09f18e2..28dd440 100644
  
  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
-@@ -74,18 +81,15 @@ dev_read_video_dev(colord_t)
+@@ -74,22 +81,20 @@ dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
  dev_read_rand(colord_t)
@@ -11098,20 +11119,38 @@ index 09f18e2..28dd440 100644
  fs_list_noxattr_fs(colord_t)
  fs_read_noxattr_fs_files(colord_t)
  fs_search_all(colord_t)
-@@ -100,7 +104,11 @@ auth_use_nsswitch(colord_t)
+ fs_dontaudit_getattr_all_fs(colord_t)
++fs_getattr_tmpfs(colord_t)
+ 
+ storage_getattr_fixed_disk_dev(colord_t)
+ storage_getattr_removable_dev(colord_t)
+@@ -98,19 +103,15 @@ storage_write_scsi_generic(colord_t)
+ 
+ auth_use_nsswitch(colord_t)
  
++init_read_state(colord_t)
++
  logging_send_syslog_msg(colord_t)
  
 -miscfiles_read_localization(colord_t)
-+fs_getattr_tmpfs(colord_t)
++systemd_read_logind_sessions_files(colord_t)
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_getattr_nfs(colord_t)
+-	fs_read_nfs_files(colord_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_getattr_cifs(colord_t)
+-	fs_read_cifs_files(colord_t)
+-')
 +userdom_rw_user_tmpfs_files(colord_t)
-+
 +userdom_home_reader(colord_t)
 +userdom_read_inherited_user_home_content_files(colord_t)
  
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_getattr_nfs(colord_t)
-@@ -120,6 +128,12 @@ optional_policy(`
+ optional_policy(`
+ 	cups_read_config(colord_t)
+@@ -120,6 +121,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11124,13 +11163,14 @@ index 09f18e2..28dd440 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -133,3 +147,13 @@ optional_policy(`
+@@ -133,3 +140,14 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(colord_t)
  ')
 +
 +optional_policy(`
 +	xserver_dbus_chat_xdm(colord_t)
++	xserver_read_xdm_state(colord_t)
 +	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
 +	xserver_read_inherited_xdm_lib_files(colord_t)
 +')
@@ -15881,7 +15921,7 @@ index dda905b..31f269b 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index afcf3a2..126d543 100644
+index afcf3a2..90299b3 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -16147,9 +16187,9 @@ index afcf3a2..126d543 100644
 -		type $1_dbusd_t;
 -		class dbus send_msg;
 -	')
- 
--	typeattribute $2 dbusd_session_bus_client;
 -
+-	typeattribute $2 dbusd_session_bus_client;
+ 
 -	allow $2 { $1_dbusd_t self }:dbus send_msg;
 -	allow $1_dbusd_t $2:dbus send_msg;
 +	# For connecting to the bus
@@ -16461,7 +16501,7 @@ index afcf3a2..126d543 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -596,28 +466,30 @@ interface(`dbus_use_system_bus_fds',`
+@@ -596,28 +466,51 @@ interface(`dbus_use_system_bus_fds',`
  ##	</summary>
  ## </param>
  #
@@ -16499,6 +16539,27 @@ index afcf3a2..126d543 100644
  
 -	typeattribute $1 dbusd_unconfined;
 +	dontaudit $1 session_bus_type:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to send dbus
++##	messages to system bus types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dbus_dontaudit_chat_system_bus',`
++	gen_require(`
++		attribute system_bus_type;
++		class dbus send_msg;
++	')
++
++	dontaudit $1 system_bus_type:dbus send_msg;
++	dontaudit system_bus_type $1:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
 index 2c2e7e1..4c346e6 100644
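Review bot: The summary of `dbus_dontaudit_chat_system_bus` describes only one direction, while the body also contains `dontaudit system_bus_type $1:dbus send_msg;`, which silences denials for messages sent from system bus services to the caller. Suggest `##	Do not audit attempts to send dbus messages to, or receive them from, system bus types.` Because the rule is attribute-wide, a caller loses AVC records for every system bus service at once, so a short comment at each call site naming the noisy denial it suppresses would help later triage.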
@@ -17536,7 +17597,7 @@ index d294865..3b4f593 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index ff933af..979a3de 100644
+index ff933af..41ca7ce 100644
 --- a/devicekit.te
 +++ b/devicekit.te
 @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -17671,7 +17732,18 @@ index ff933af..979a3de 100644
  allow devicekit_power_t self:process { getsched signal_perms };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -207,9 +222,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+ 
+-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
+-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
+-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
+ logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+ 
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
+@@ -242,17 +255,16 @@ domain_read_all_domains_state(devicekit_power_t)
  
  files_read_kernel_img(devicekit_power_t)
  files_read_etc_runtime_files(devicekit_power_t)
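Review bot: Replacing the three `devicekit_var_log_t:file` rules (append, create, setattr) with `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` lets `devicekit_power_t` also overwrite, rename and unlink its log files. Append-only access is what keeps a compromised daemon from rewriting its own log history. Unless a specific denial needs the wider set, keep the original rules, or add only the missing permission next to them with a comment naming the denial.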
@@ -17691,7 +17763,7 @@ index ff933af..979a3de 100644
  
  sysnet_domtrans_ifconfig(devicekit_power_t)
  sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +283,11 @@ optional_policy(`
+@@ -269,9 +281,11 @@ optional_policy(`
  
  optional_policy(`
  	cron_initrc_domtrans(devicekit_power_t)
@@ -17703,7 +17775,7 @@ index ff933af..979a3de 100644
  	dbus_system_bus_client(devicekit_power_t)
  
  	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +318,11 @@ optional_policy(`
+@@ -302,8 +316,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17716,7 +17788,7 @@ index ff933af..979a3de 100644
  	hal_manage_pid_dirs(devicekit_power_t)
  	hal_manage_pid_files(devicekit_power_t)
  ')
-@@ -341,3 +360,9 @@ optional_policy(`
+@@ -341,3 +358,9 @@ optional_policy(`
  optional_policy(`
  	vbetool_domtrans(devicekit_power_t)
  ')
@@ -20323,10 +20395,20 @@ index 18f2452..a446210 100644
 +
  ')
 diff --git a/dspam.te b/dspam.te
-index 266cb8f..dbbe097 100644
+index 266cb8f..d606e12 100644
 --- a/dspam.te
 +++ b/dspam.te
-@@ -64,14 +64,33 @@ auth_use_nsswitch(dspam_t)
+@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
+ 
+ allow dspam_t self:capability net_admin;
+ allow dspam_t self:process signal;
++
++allow dspam_t self:tcp_socket { listen accept };
++
+ allow dspam_t self:fifo_file rw_fifo_file_perms;
+ allow dspam_t self:unix_stream_socket { accept listen };
+ 
+@@ -64,14 +67,33 @@ auth_use_nsswitch(dspam_t)
  
  logging_send_syslog_msg(dspam_t)
  
@@ -21226,28 +21308,49 @@ index 5cf6ac6..839999e 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index c8014f8..646818a 100644
+index c8014f8..95f0a0b 100644
 --- a/firewalld.te
 +++ b/firewalld.te
-@@ -21,6 +21,9 @@ logging_log_file(firewalld_var_log_t)
+@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
  type firewalld_var_run_t;
  files_pid_file(firewalld_var_run_t)
  
 +type firewalld_unit_file_t;
 +systemd_unit_file(firewalld_unit_file_t)
 +
++type firewalld_tmp_t;
++files_tmp_file(firewalld_tmp_t)
++
++type firewalld_tmpfs_t;
++files_tmpfs_file(firewalld_tmpfs_t)
++
  ########################################
  #
  # Local policy
-@@ -42,6 +45,7 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+ #
+-
++allow firewalld_t self:capability dac_override;
+ dontaudit firewalld_t self:capability sys_tty_config;
+ allow firewalld_t self:fifo_file rw_fifo_file_perms;
+ allow firewalld_t self:unix_stream_socket { accept listen };
+@@ -40,8 +49,16 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
+ allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
  
++manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
++files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
++
++manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
++fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
++allow firewalld_t firewalld_tmpfs_t:file execute;
++
  manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
  files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
 +can_exec(firewalld_t, firewalld_var_run_t)
  
  kernel_read_network_state(firewalld_t)
  kernel_read_system_state(firewalld_t)
-@@ -53,20 +57,17 @@ dev_read_urand(firewalld_t)
+@@ -53,20 +70,17 @@ dev_read_urand(firewalld_t)
  
  domain_use_interactive_fds(firewalld_t)
  
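Review bot: `allow firewalld_t firewalld_tmpfs_t:file execute;` sits directly after `manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)`, so the daemon can both write and execute files of that type. The same hunk adds `allow firewalld_t self:capability dac_override;`. Neither rule carries a comment, and for the process that manages the host firewall both are worth justifying. I would add a why-comment on each, e.g. `# <denial or caller that needs execute on tmpfs>`, and check whether `dac_override` can be avoided by fixing the ownership of whatever file firewalld is blocked on.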
@@ -25615,7 +25718,7 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..d80e7c0 100644
+index 44cf341..391e8e6 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -1,47 +1,47 @@
@@ -25834,7 +25937,7 @@ index 44cf341..d80e7c0 100644
  
  optional_policy(`
 -	mozilla_dontaudit_rw_user_home_files(gpg_t)
-+	gnome_read_config(gpg_t)
++	gnome_manage_config(gpg_t)
 +	gnome_stream_connect_gkeyringd(gpg_t)
  ')
  
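Review bot: Changing `gnome_read_config(gpg_t)` to `gnome_manage_config(gpg_t)` moves `gpg_t` from reading GNOME configuration to, by the usual meaning of a manage interface, creating, modifying and deleting it. `gpg_t` handles keys and messages that originate outside the system, so write access to the user's desktop configuration is a meaningful widening. If the denial behind this change concerns one file or directory, an interface scoped to that content would be safer, with a comment naming what gpg needs to write there.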
@@ -31393,7 +31496,7 @@ index 7bab8e5..3a2c50c 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..720b6cb 100644
+index 4256a4c..2d6adaf 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
@@ -31434,7 +31537,7 @@ index 4256a4c..720b6cb 100644
  
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -164,6 +165,8 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +165,12 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -31443,6 +31546,10 @@ index 4256a4c..720b6cb 100644
  optional_policy(`
  	cron_use_system_job_fds(logwatch_mail_t)
  ')
++
++optional_policy(`
++	courier_stream_connect_authdaemon(logwatch_mail_t)
++')
 diff --git a/lpd.fc b/lpd.fc
 index 2fb9b2e..08974e3 100644
 --- a/lpd.fc
@@ -32451,7 +32558,7 @@ index 2de0f64..85c3827 100644
 +
 +/var/lock/man-db\.lock	--	gen_context(system_u:object_r:mandb_lock_t,s0)
 diff --git a/mandb.if b/mandb.if
-index 327f3f7..65bfa15 100644
+index 327f3f7..8d5841f 100644
 --- a/mandb.if
 +++ b/mandb.if
 @@ -1,14 +1,14 @@
@@ -32594,7 +32701,7 @@ index 327f3f7..65bfa15 100644
  ')
  
  ########################################
-@@ -99,37 +129,60 @@ interface(`mandb_read_cache_content',`
+@@ -99,37 +129,63 @@ interface(`mandb_read_cache_content',`
  ##	</summary>
  ## </param>
  #
@@ -32649,7 +32756,7 @@ index 327f3f7..65bfa15 100644
  	gen_require(`
 -		type mandb_t, mandb_cache_t;
 +		type mandb_t;
-+		type mandb_cache_t;
++		type mandb_cache_t, mandb_lock_t;
  	')
  
  	allow $1 mandb_t:process { ptrace signal_perms };
@@ -32658,6 +32765,9 @@ index 327f3f7..65bfa15 100644
 -	mandb_run($1, $2)
 +	files_search_var($1)
 +	admin_pattern($1, mandb_cache_t)
++
++	files_search_locks($1)
++	admin_pattern($1, mandb_lock_t)
  
 -	# pending
 -	# miscfiles_manage_man_cache_content(mandb_t)
@@ -39288,6 +39398,231 @@ index 9f6179e..dfa6623 100644
  
 -userdom_search_user_home_dirs(mysqlmanagerd_t)
 +userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+diff --git a/mythtv.fc b/mythtv.fc
+new file mode 100644
+index 0000000..3a1c423
+--- /dev/null
++++ b/mythtv.fc
+@@ -0,0 +1,9 @@
++/usr/share/mythweb/mythweb\.pl	--	gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++
++/var/lib/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_lib_t,s0)
++
++/var/log/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_log_t,s0)
++
++/usr/share/mythtv(/.*)?		gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
++/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
+diff --git a/mythtv.if b/mythtv.if
+new file mode 100644
+index 0000000..6ad142d
+--- /dev/null
++++ b/mythtv.if
+@@ -0,0 +1,157 @@
++
++## <summary>policy for httpd_mythtv_script</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the httpd_mythtv_script domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`httpd_mythtv_script_domtrans',`
++	gen_require(`
++		type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
++')
++
++#######################################
++## <summary>
++##	read mythtv libs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mythtv_read_lib',`
++	gen_require(`
++		type mythtv_var_lib_t;
++	')
++
++	read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
++	files_list_var_lib($1)
++')
++
++#######################################
++## <summary>
++##	Create, read, write, and delete
++##	mythtv lib content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mythtv_manage_lib',`
++	gen_require(`
++		type mythtv_var_lib_t;
++	')
++
++	manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
++	manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
++	files_list_var_lib($1)
++')
++
++#######################################
++## <summary>
++##	read mythtv logs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mythtv_read_log',`
++	gen_require(`
++		type mythtv_var_log_t;
++	')
++
++	read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++	logging_search_logs($1)
++')
++
++#######################################
++## <summary>
++##	Append mythtv log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mythtv_append_log',`
++	gen_require(`
++		type mythtv_var_log_t;
++	')
++
++	append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++	logging_search_logs($1)
++')
++
++#######################################
++## <summary>
++##	Create, read, write, and delete
++##	mythtv log content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mythtv_manage_log',`
++	gen_require(`
++		type mythtv_var_log_t;
++	')
++
++	manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++	manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++	logging_search_logs($1)
++')
++
++########################################
++## <summary>
++##	All of the rules required to
++##	administrate an mythtv environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mythtv_admin',`
++	gen_require(`
++		type httpd_mythtv_script_t, mythtv_var_lib_t;
++		type mythtv_var_log_t;
++	')
++
++	allow $1 httpd_mythtv_script_t:process signal_perms;
++	ps_process_pattern($1, httpd_mythtv_script_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 httpd_mythtv_script_t:process ptrace;
++	')
++
++	logging_list_logs($1)
++	admin_pattern($1, mythtv_var_log_t)
++
++	files_list_var_lib($1)
++	admin_pattern($1, mythtv_var_lib_t)
++')
+diff --git a/mythtv.te b/mythtv.te
+new file mode 100644
+index 0000000..90129ac
+--- /dev/null
++++ b/mythtv.te
+@@ -0,0 +1,41 @@
++policy_module(mythtv, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(mythtv)
++
++type mythtv_var_lib_t;
++files_type(mythtv_var_lib_t)
++
++type mythtv_var_log_t;
++logging_log_file(mythtv_var_log_t)
++
++########################################
++#
++# httpd_mythtv_script local policy
++#
++
++manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
++
++manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
++
++domain_use_interactive_fds(httpd_mythtv_script_t)
++
++files_read_etc_files(httpd_mythtv_script_t)
++
++fs_read_nfs_files(httpd_mythtv_script_t)
++
++miscfiles_read_localization(httpd_mythtv_script_t)
++
++optional_policy(`
++	mysql_read_config(httpd_mythtv_script_t)
++	mysql_stream_connect(httpd_mythtv_script_t)
++	mysql_tcp_connect(httpd_mythtv_script_t)
++')
 diff --git a/nagios.fc b/nagios.fc
 index d78dfc3..d80b4db 100644
 --- a/nagios.fc
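Review bot: In mythtv.te the web-facing `httpd_mythtv_script_t` domain is given `fs_read_nfs_files` unconditionally and full manage access to `mythtv_var_log_t`, both wider than a CGI script domain normally needs. I would put the NFS read behind a boolean with `tunable_policy`, and reduce the log rules to create plus `append_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)` so a compromised script cannot rewrite or remove earlier entries. In mythtv.if, the first summary still reads `Execute TEMPLATE in the httpd_mythtv_script domin.` (a generator placeholder and a typo), and `mythtv_admin` documents a `role` parameter that the body never references.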
@@ -56188,7 +56523,7 @@ index 7cb8b1f..b7b5ee7 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index f2309f4..b3f151c 100644
+index f2309f4..a375475 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -1,4 +1,4 @@
@@ -56603,7 +56938,7 @@ index f2309f4..b3f151c 100644
  
  optional_policy(`
 -	mysql_stream_connect(puppetmaster_t)
-+	gnomeclock_dbus_chat(puppetmaster_t)
++	systemd_dbus_chat_timedated(puppetmaster_t)
  ')
  
  optional_policy(`
@@ -59823,7 +60158,7 @@ index 951db7f..db0d815 100644
 +	allow $1 mdadm_var_run_t:file manage_file_perms;
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..43e7487 100644
+index 2c1730b..d9f7a3a 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -26,7 +26,7 @@ dev_associate(mdadm_var_run_t)
@@ -59835,7 +60170,7 @@ index 2c1730b..43e7487 100644
  allow mdadm_t self:fifo_file rw_fifo_file_perms;
  allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -34,8 +34,8 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+@@ -34,14 +34,15 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
@@ -59846,7 +60181,14 @@ index 2c1730b..43e7487 100644
  
  kernel_getattr_core_if(mdadm_t)
  kernel_read_system_state(mdadm_t)
-@@ -51,17 +51,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+ kernel_read_kernel_sysctls(mdadm_t)
+ kernel_request_load_module(mdadm_t)
+ kernel_rw_software_raid_state(mdadm_t)
++kernel_setsched(mdadm_t)
+ 
+ corecmd_exec_bin(mdadm_t)
+ corecmd_exec_shell(mdadm_t)
+@@ -51,17 +52,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  dev_read_raw_memory(mdadm_t)
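Review bot: `kernel_setsched(mdadm_t)` is added without a comment saying which operation needs it. Going by the interface name and the changelog line "Allow mdadm_t to change the kernel scheduler", it lets mdadm change the scheduling of kernel threads, which is a wider grant than a `self:process setsched` rule. A line above it such as `# setsched on kernel threads, needed for <operation> (see <bug reference>)` would let a later reviewer check whether the rule is still required. The mdadm_t rule list this sits in starts and ends outside the hunk.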
@@ -59868,7 +60210,7 @@ index 2c1730b..43e7487 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -74,12 +76,12 @@ storage_write_scsi_generic(mdadm_t)
+@@ -74,12 +77,12 @@ storage_write_scsi_generic(mdadm_t)
  term_dontaudit_list_ptys(mdadm_t)
  term_dontaudit_use_unallocated_ttys(mdadm_t)
  
@@ -62692,13 +63034,15 @@ index 6dbc905..92aac94 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..48fec17 100644
+index 1cedd70..f8ae4cc 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
-@@ -31,6 +31,7 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
+ #
  
  allow rhsmcertd_t self:capability sys_nice;
- allow rhsmcertd_t self:process { signal setsched };
+-allow rhsmcertd_t self:process { signal setsched };
++allow rhsmcertd_t self:process { signal_perms setsched };
 +
  allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
  allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
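Review bot: The change from `signal` to `signal_perms` on `rhsmcertd_t self:process` has no entry in the 3.12.1-5 changelog and no comment in the policy, so the reason for the wider set is not recorded. `signal_perms` is the refpolicy permission set that also covers sigchld, sigkill, sigstop and signull. On `self` that is low risk, but if only one more signal was being denied, listing it explicitly next to `signal` and `setsched` keeps the rule minimal. The same missing changelog entry applies to `certmonger_dbus_chat(rpm_script_t)` in rpm.te and `userdom_use_user_ptys(fsdaemon_t)` in smartmon.te further down.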
@@ -63858,7 +64202,7 @@ index 3bd6446..a61764b 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..43a888d 100644
+index e5212e6..66ec108 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -64205,15 +64549,6 @@ index e5212e6..43a888d 100644
  ')
  
  optional_policy(`
-@@ -315,7 +277,7 @@ optional_policy(`
- ')
- 
- optional_policy(`
--	pcscd_read_pid_files(gssd_t)
-+	pcscd_read_pub_files(gssd_t)
- ')
- 
- optional_policy(`
 diff --git a/rpcbind.if b/rpcbind.if
 index 3b5e9ee..ff1163f 100644
 --- a/rpcbind.if
@@ -65029,7 +65364,7 @@ index 0628d50..bedc8ae 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..b86d966 100644
+index 5cbe81c..a29e4d0 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,11 @@
@@ -65418,7 +65753,7 @@ index 5cbe81c..b86d966 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,24 +375,24 @@ ifdef(`distro_redhat',`
+@@ -363,24 +375,28 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -65434,13 +65769,17 @@ index 5cbe81c..b86d966 100644
  
  optional_policy(`
 -	dbus_system_bus_client(rpm_script_t)
-+	cups_filetrans_named_content(rpm_script_t)
++	certmonger_dbus_chat(rpm_script_t)
 +')
  
 -	optional_policy(`
 -		unconfined_dbus_chat(rpm_script_t)
 -	')
 +optional_policy(`
++	cups_filetrans_named_content(rpm_script_t)
++')
++
++optional_policy(`
 +	dbus_system_bus_client(rpm_script_t)
  ')
  
@@ -65450,7 +65789,7 @@ index 5cbe81c..b86d966 100644
  ')
  
  optional_policy(`
-@@ -388,8 +400,17 @@ optional_policy(`
+@@ -388,8 +404,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65470,7 +65809,7 @@ index 5cbe81c..b86d966 100644
  ')
  
  optional_policy(`
-@@ -397,6 +418,7 @@ optional_policy(`
+@@ -397,6 +422,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65478,7 +65817,7 @@ index 5cbe81c..b86d966 100644
  	unconfined_domtrans(rpm_script_t)
  
  	optional_policy(`
-@@ -409,6 +431,6 @@ optional_policy(`
+@@ -409,6 +435,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67158,7 +67497,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..27fd4cd 100644
+index 57c034b..89b9b6a 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -67408,7 +67747,7 @@ index 57c034b..27fd4cd 100644
  
  dev_read_urand(samba_net_t)
  
-@@ -229,54 +219,60 @@ auth_manage_cache(samba_net_t)
+@@ -229,15 +219,16 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -67429,9 +67768,7 @@ index 57c034b..27fd4cd 100644
  ')
  
  optional_policy(`
--	pcscd_read_pid_files(samba_net_t)
-+	pcscd_read_pub_files(samba_net_t)
- ')
+@@ -246,37 +237,42 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_use(samba_net_t)
@@ -72207,7 +72544,7 @@ index e0644b5..ea347cc 100644
  	domain_system_change_exemption($1)
  	role_transition $2 fsdaemon_initrc_exec_t system_r;
 diff --git a/smartmon.te b/smartmon.te
-index 9ade9c5..90cb567 100644
+index 9ade9c5..efefceb 100644
 --- a/smartmon.te
 +++ b/smartmon.te
 @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
@@ -72249,7 +72586,7 @@ index 9ade9c5..90cb567 100644
  init_read_utmp(fsdaemon_t)
  
  libs_exec_ld_so(fsdaemon_t)
-@@ -92,7 +100,7 @@ libs_exec_lib_files(fsdaemon_t)
+@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
  
  logging_send_syslog_msg(fsdaemon_t)
  
@@ -72258,7 +72595,13 @@ index 9ade9c5..90cb567 100644
  
  sysnet_dns_name_resolve(fsdaemon_t)
  
-@@ -116,9 +124,9 @@ optional_policy(`
+ userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+ userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
++userdom_use_user_ptys(fsdaemon_t)
+ 
+ tunable_policy(`smartmon_3ware',`
+ 	allow fsdaemon_t self:process setfscreate;
+@@ -116,9 +125,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81908,10 +82251,10 @@ index 9dec06c..d8a2b54 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..eaf5bf9 100644
+index 1f22fba..c566b8b 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,94 +1,105 @@
+@@ -1,94 +1,98 @@
 -policy_module(virt, 1.6.10)
 +policy_module(virt, 1.5.0)
  
@@ -81998,11 +82341,12 @@ index 1f22fba..eaf5bf9 100644
 -##	Determine whether confined virtual guests
 -##	can manage device configuration.
 -##	</p>
-+## <p>
-+## Allow confined virtual guests to manage device configuration, (pci)
-+## </p>
++##  <p>
++##  Allow confined virtual guests to interact with the sanlock
++##  </p>
  ## </desc>
- gen_tunable(virt_use_sysfs, false)
+-gen_tunable(virt_use_sysfs, false)
++gen_tunable(virt_use_sanlock, false)
  
  ## <desc>
 -##	<p>
@@ -82010,38 +82354,31 @@ index 1f22fba..eaf5bf9 100644
 -##	can use usb devices.
 -##	</p>
 +##  <p>
-+##  Allow confined virtual guests to interact with the sanlock
++##  Allow confined virtual guests to interact with rawip sockets
 +##  </p>
  ## </desc>
 -gen_tunable(virt_use_usb, false)
-+gen_tunable(virt_use_sanlock, false)
++gen_tunable(virt_use_rawip, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether confined virtual guests
 -##	can interact with xserver.
 -##	</p>
-+##  <p>
-+##  Allow confined virtual guests to interact with rawip sockets
-+##  </p>
++## <p>
++## Allow confined virtual guests to interact with the xserver
++## </p>
  ## </desc>
--gen_tunable(virt_use_xserver, false)
--
+ gen_tunable(virt_use_xserver, false)
+ 
 -attribute virt_ptynode;
 -attribute virt_domain;
 -attribute virt_image_type;
 -attribute virt_tmp_type;
 -attribute virt_tmpfs_type;
-+gen_tunable(virt_use_rawip, false)
- 
+-
 -attribute svirt_lxc_domain;
-+## <desc>
-+## <p>
-+## Allow confined virtual guests to interact with the xserver
-+## </p>
-+## </desc>
-+gen_tunable(virt_use_xserver, false)
- 
+-
 -attribute_role virt_domain_roles;
 -roleattribute system_r virt_domain_roles;
 +## <desc>
@@ -82068,7 +82405,7 @@ index 1f22fba..eaf5bf9 100644
  
  type virt_cache_t alias svirt_cache_t;
  files_type(virt_cache_t)
-@@ -105,27 +116,25 @@ userdom_user_home_content(virt_home_t)
+@@ -105,27 +109,25 @@ userdom_user_home_content(virt_home_t)
  type svirt_home_t;
  userdom_user_home_content(svirt_home_t)
  
@@ -82102,7 +82439,7 @@ index 1f22fba..eaf5bf9 100644
  
  type virt_var_run_t;
  files_pid_file(virt_var_run_t)
-@@ -139,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -139,9 +141,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
  domain_obj_id_change_exemption(virtd_t)
  domain_subj_id_change_exemption(virtd_t)
  
@@ -82120,7 +82457,7 @@ index 1f22fba..eaf5bf9 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -155,251 +172,82 @@ type virt_qmf_exec_t;
+@@ -155,251 +165,82 @@ type virt_qmf_exec_t;
  init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
  
  type virt_bridgehelper_t;
@@ -82208,7 +82545,9 @@ index 1f22fba..eaf5bf9 100644
 -append_files_pattern(virt_domain, virt_log_t, virt_log_t)
 -
 -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -kernel_read_system_state(virt_domain)
 -
 -fs_getattr_xattr_fs(virt_domain)
@@ -82335,9 +82674,7 @@ index 1f22fba..eaf5bf9 100644
 -		xserver_stream_connect(virt_domain)
 -	')
 -')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -optional_policy(`
 -	dbus_read_lib_files(virt_domain)
 -')
@@ -82381,9 +82718,7 @@ index 1f22fba..eaf5bf9 100644
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 -
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
@@ -82407,7 +82742,9 @@ index 1f22fba..eaf5bf9 100644
 -corenet_sendrecv_all_server_packets(svirt_t)
 -corenet_udp_bind_all_ports(svirt_t)
 -corenet_tcp_bind_all_ports(svirt_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -corenet_sendrecv_all_client_packets(svirt_t)
 -corenet_tcp_connect_all_ports(svirt_t)
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -82420,7 +82757,7 @@ index 1f22fba..eaf5bf9 100644
  
  ########################################
  #
-@@ -407,38 +255,41 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -407,38 +248,41 @@ corenet_tcp_connect_all_ports(svirt_t)
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
@@ -82481,7 +82818,7 @@ index 1f22fba..eaf5bf9 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +299,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +292,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -82527,7 +82864,7 @@ index 1f22fba..eaf5bf9 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +333,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +326,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -82537,18 +82874,18 @@ index 1f22fba..eaf5bf9 100644
 -
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
+-can_exec(virtd_t, virt_tmp_t)
+-
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -520,22 +352,12 @@ corecmd_exec_shell(virtd_t)
+@@ -520,22 +345,12 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -82572,7 +82909,7 @@ index 1f22fba..eaf5bf9 100644
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
-@@ -548,22 +370,22 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +363,22 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -82600,7 +82937,7 @@ index 1f22fba..eaf5bf9 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +416,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -82620,7 +82957,7 @@ index 1f22fba..eaf5bf9 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +438,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -82655,7 +82992,7 @@ index 1f22fba..eaf5bf9 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +464,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -82664,7 +83001,7 @@ index 1f22fba..eaf5bf9 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -646,107 +477,330 @@ optional_policy(`
+@@ -646,107 +470,326 @@ optional_policy(`
  	consoletype_exec(virtd_t)
  ')
  
@@ -82773,6 +83110,7 @@ index 1f22fba..eaf5bf9 100644
 +#
 +# virtual domains common policy
 +#
++allow virt_domain self:capability2 compromise_kernel;
 +allow virt_domain self:process { signal getsched signull };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
 +allow virt_domain self:shm create_shm_perms;
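Review bot: `allow virt_domain self:capability2 compromise_kernel;` is granted here unconditionally and to the whole `virt_domain` attribute. The hunk at `@@ -82986,11 +83324,6 @@` removes the `virt_use_sysfs` tunable_policy block that previously gave it to `svirt_t` only, and the earlier virt.te hunks drop `gen_tunable(virt_use_sysfs, false)`. As far as these hunks show, a default-off, opt-in permission becomes one every confined guest holds, `dev_rw_sysfs(virt_domain)` disappears with the boolean, and nothing in the 3.12.1-5 changelog mentions either change. I would keep the rule inside the `virt_use_sysfs` tunable_policy block. If the unconditional grant is intended, add a comment such as `# compromise_kernel for all guests: required by <operation> (see <bug reference>)` plus a changelog line.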
@@ -82986,11 +83324,6 @@ index 1f22fba..eaf5bf9 100644
 +	fs_getattr_cifs(virt_domain)
 +')
 +
-+tunable_policy(`virt_use_sysfs',`
-+	allow svirt_t self:capability2 compromise_kernel;
-+	dev_rw_sysfs(virt_domain)
-+')
-+
 +tunable_policy(`virt_use_usb',`
 +	dev_rw_usbfs(virt_domain)
 +	dev_read_sysfs(virt_domain)
@@ -83052,7 +83385,7 @@ index 1f22fba..eaf5bf9 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +812,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +801,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -83081,7 +83414,7 @@ index 1f22fba..eaf5bf9 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +830,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -83108,7 +83441,7 @@ index 1f22fba..eaf5bf9 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +850,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +839,21 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -83139,7 +83472,7 @@ index 1f22fba..eaf5bf9 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,6 +882,10 @@ optional_policy(`
+@@ -847,6 +871,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83150,7 +83483,7 @@ index 1f22fba..eaf5bf9 100644
  	rpm_exec(virsh_t)
  ')
  
-@@ -854,7 +893,7 @@ optional_policy(`
+@@ -854,7 +882,7 @@ optional_policy(`
  	xen_manage_image_dirs(virsh_t)
  	xen_append_log(virsh_t)
  	xen_domtrans(virsh_t)
@@ -83159,7 +83492,7 @@ index 1f22fba..eaf5bf9 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +918,39 @@ optional_policy(`
+@@ -879,34 +907,39 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -83209,7 +83542,7 @@ index 1f22fba..eaf5bf9 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +960,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +949,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -83225,7 +83558,7 @@ index 1f22fba..eaf5bf9 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +980,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +969,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -83236,7 +83569,7 @@ index 1f22fba..eaf5bf9 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -955,15 +1000,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +989,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -83255,7 +83588,7 @@ index 1f22fba..eaf5bf9 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1014,38 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,20 +1003,38 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -83300,7 +83633,7 @@ index 1f22fba..eaf5bf9 100644
  allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1054,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,19 +1043,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -83320,7 +83653,7 @@ index 1f22fba..eaf5bf9 100644
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1061,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1050,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -83339,7 +83672,7 @@ index 1f22fba..eaf5bf9 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1080,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1069,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -83366,7 +83699,7 @@ index 1f22fba..eaf5bf9 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,11 +1105,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,11 +1094,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -83383,7 +83716,7 @@ index 1f22fba..eaf5bf9 100644
  
  optional_policy(`
  	udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1123,63 @@ optional_policy(`
+@@ -1078,81 +1112,63 @@ optional_policy(`
  	apache_read_sys_content(svirt_lxc_domain)
  ')
  
@@ -83488,7 +83821,7 @@ index 1f22fba..eaf5bf9 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1192,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1181,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -83503,7 +83836,7 @@ index 1f22fba..eaf5bf9 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1210,8 @@ optional_policy(`
+@@ -1183,9 +1199,8 @@ optional_policy(`
  
  ########################################
  #
@@ -83514,7 +83847,7 @@ index 1f22fba..eaf5bf9 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1224,65 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1213,65 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -85717,7 +86050,7 @@ index 0cea2cd..7668014 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 diff --git a/xguest.te b/xguest.te
-index 2882821..cc48c69 100644
+index 2882821..32ace1c 100644
 --- a/xguest.te
 +++ b/xguest.te
 @@ -1,4 +1,4 @@
@@ -85826,63 +86159,67 @@ index 2882821..cc48c69 100644
  	')
  ')
  
-@@ -84,88 +95,92 @@ optional_policy(`
+@@ -84,12 +95,17 @@ optional_policy(`
  	')
  ')
  
 +
-+optional_policy(`
-+	chrome_role(xguest_r, xguest_t)
+ optional_policy(`
+-	apache_role(xguest_r, xguest_t)
++	colord_dbus_chat(xguest_t)
 +')
 +
 +optional_policy(`
-+	hal_dbus_chat(xguest_t)
-+')
-+
- optional_policy(`
- 	apache_role(xguest_r, xguest_t)
++	chrome_role(xguest_r, xguest_t)
  ')
  
  optional_policy(`
-+	gnome_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
- 	gnomeclock_dontaudit_dbus_chat(xguest_t)
+-	gnomeclock_dontaudit_dbus_chat(xguest_t)
++	dbus_dontaudit_chat_system_bus(xguest_t)
  ')
  
  optional_policy(`
--	hal_dbus_chat(xguest_t)
-+	mozilla_run_plugin(xguest_t, xguest_r)
+@@ -97,75 +113,78 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	java_role(xguest_r, xguest_t)
-+	pcscd_read_pub_files(xguest_t)
-+	pcscd_stream_connect(xguest_t)
++	apache_role(xguest_r, xguest_t)
  ')
  
  optional_policy(`
 -	mozilla_role(xguest_r, xguest_t)
-+	rhsmcertd_dontaudit_dbus_chat(xguest_t)
++	gnome_role(xguest_r, xguest_t)
  ')
  
  optional_policy(`
- 	tunable_policy(`xguest_connect_network',`
+-	tunable_policy(`xguest_connect_network',`
 -		kernel_read_network_state(xguest_t)
--
++	mozilla_run_plugin(xguest_t, xguest_r)
++')
+ 
++optional_policy(`
++	pcscd_read_pid_files(xguest_t)
++	pcscd_stream_connect(xguest_t)
++')
++
++optional_policy(`
++	rhsmcertd_dontaudit_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++	tunable_policy(`xguest_connect_network',`
  		networkmanager_dbus_chat(xguest_t)
--		networkmanager_read_lib_files(xguest_t)
-+        networkmanager_read_lib_files(xguest_t)
+ 		networkmanager_read_lib_files(xguest_t)
 +	')
 +')
- 
--		corenet_all_recvfrom_unlabeled(xguest_t)
--		corenet_all_recvfrom_netlabel(xguest_t)
++
 +optional_policy(`
 +	tunable_policy(`xguest_connect_network',`
 +		kernel_read_network_state(xguest_t)
-+
+ 
+-		corenet_all_recvfrom_unlabeled(xguest_t)
+-		corenet_all_recvfrom_netlabel(xguest_t)
 +		corenet_tcp_connect_pulseaudio_port(xguest_t)
  		corenet_tcp_sendrecv_generic_if(xguest_t)
  		corenet_raw_sendrecv_generic_if(xguest_t)
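Review bot: `dbus_dontaudit_chat_system_bus(xguest_t)` replaces the single-service `gnomeclock_dontaudit_dbus_chat(xguest_t)` and, judging by its name, suppresses audit records for every denied system-bus message from the guest account. xguest is the least-trusted login role, so those denials are among the ones a responder would want to see, and with this rule they only show up once dontaudit rules are disabled (`semodule -DB`). A comment above it, e.g. `# hides all system bus denials for xguest; use semodule -DB when debugging`, would record that. Alternatively, the dontaudit could be limited to the specific services the desktop session probes. The `xguest_connect_network` tunable_policy block at the end of the hunk continues outside it.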
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f29d961..051fb21 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-5
+- Fix systemd_manage_unit_symlinks() interface
+- Call systemd_manage_unit_symlinks(() which is correct interface
+- Add filename transition for opasswd
+- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
+- Allow sytstemd-timedated to get status of init_t
+- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t
+- colord needs to communicate with systemd and systemd_logind, also remove duplicate rules
+- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
+- Allow gpg_t to manage all gnome files
+- Stop using pcscd_read_pub_files
+- New rules for xguest, dontaudit attempts to dbus chat
+- Allow firewalld to create its mmap files in tmpfs and tmp directories
+- Allow firewalld to create its mmap files in tmpfs and tmp directories
+- run unbound-chkconf as named_t, so it can read dnssec
+- Colord is reading xdm process state, probably reads state of any apps that sends dbus message
+- Allow mdadm_t to change the kernel scheduler
+- mythtv policy
+- Update mandb_admin() interface
+- Allow dsspam to listen on own tpc_socket
+
 * Mon Jan 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-4
 - Allow systemd-tmpfiles to relabel lpd spool files
 - Ad labeling for texlive bash scripts